India, Yahoo, Google, and the U.S. government finally have something in common: Chinese cyberattacks.
Hackers in China have been siphoning Indian national security information for eight months now. In recent weeks, there have been China-based attacks on Yahoo! and Google users, and computer spies launched an attack from China and stole terabytes of data on the Air Force's Joint Strike Fighter program.
The attacks underscore just how difficult it has been for countries and corporations to establish viable cyberdefenses. A recent National Research Council report is attempting to make a start. The report, the first part of a broad attempt to find viable options for a cyberdefense policy, identifies three general approaches, each with its own drawbacks.
The first is a passive defense in which security is strengthened in preparation for an attack. This has been the de facto approach for some time, but it fails for two reasons, according to the NRC's Committee on Deterring Cyberattacks. First, passive defenses have been too focused on improving vendor and user security, to the detriment of securing infrastructure. Second, passive defenses have to withstand an infinite variety of evolving attacks. As the authors write, that "places a heavy and asymmetric burden on a defensive posture that employs only passive defense."